Hybrid GAN-LSTM for Enhancing DDoS Detection on Imbalance Dataset

The development of technology in the Internet network today is fast, as shown by dependence on the Internet, which ranges from the fields of education, economics, and communication [1]. However, this rapid development is accompanied by threats that can disrupt the resilience of network infrastructure, such as Distributed Denial of Service (DDoS) attacks. DDoS attacks threaten institutions, organizations, and enterprises by flooding network resources and disrupting the services used [2]. Although many DDoS attack mitigations are developed in industry as well as in academia, the threat of DDoS attacks can still have a severe impact and increase every year [3]. Distinguishing between DDoS and true or legitimate traffic is a complex task. Therefore, a tool that has a robust DDoS defence mechanism is needed [4].

Currently, the method to detect DDoS is to compare normal traffic statistics with DDoS seen from several parameters such as average of packets per flow (APF), average of bytes per flow (ABF), average of duration per flow (ADF), percentage of pairflow (PPF), grows of single-flow (GSF) and grows of different port (GDP) [5]. Sometimes these methods have difficulty in distinguishing between the two types of network traffic or inaccurate classification (false positive and false negative results) [6]. Better tools in detecting malicious attacks are needed to address the previously mentioned weaknesses to improve cybersecurity. Neural networks excel at identifying these intricate patterns because of their ability to learn from large datasets and recognize subtle relationships between different data points. An example of a DDoS attack happened on Singapore public health services [7], which services, including emails, webpages, and staff tools, were unavailable at that period. DDoS attacks stop legitimate users from accessing websites by flooding them with junk internet traffic. Healthcare and other services like finance, education, vehicles, and all internet-connected devices can also be impacted by this [8]. Since this threat can be felt in various sectors, addressing security concerns is crucial.

In order to address the issue of data imbalance, this research intends to examine classification algorithms by introducing synthetic data. It is done by using imbalance synthetic data on the experiment. The objective of this research is: first, to find out the effect of data imbalance on DDoS attack classification using the Deep Learning Long Short-Term Memory (LSTM) method; and second, to provide insight into the impact of creating synthetic data for balancing using Generative Adversarial Networks on LSTM methods. Specifically, this research uses the CICDDoS2019 dataset to compare the performance of both test dataset conditions using LSTM.

The LSTM network is great for classifying the type of attack for datasets in the time series format, such as CICDDoS2019. Still, it struggles with imbalance data set, leading to varied performance across the classes. Thus, the model has problems in classifying the imbalanced minor classes and weak performance on the tasks of intrusion detection.

To mitigate this issue, this study looks into the application of Generative Adversarial Networks (GAN) as a technique for data balancing. It can balance the data set and subsequently increase the classification performance for the less dominant types of attacks by creating synthetic samples for these minority classes. The focus is to show that combining GAN to LSTM can increase the performance, ensuring a more reliable and secure intrusion detection system.

The paper is organized to guide the reader to better understand DDoS attacks and their detection. Section I explains the trend of DDoS detection, highlighting the significant problems and challenges they cause. Section II covers existing research on DDoS attack detection and presents a comprehensive survey to put current work in a better perspective. Section III discusses the methods, explaining different approaches for detecting DDoS using comparative analysis such as balancing methods and classification techniques. In Section IV, the evaluation as well as results analysis are presented, aiming at critically assessing how effective this method is. Lastly, Section V presents conclusions to summarize what was discovered from this study and its implications for future research.

The method we use starts with data collection which is a combination of 2-day DDoS records from the dataset. The dataset is then preprocessed by removing unnecessary columns. The GAN will be trained to use a regular neural network to create a fake dataset which is then combined with the original data. The new dataset formed is then divided into training data and test data. LSTM which then extracts the features and provides classification results. The model will be evaluated using graphical loss and validation analysis as well as a classification report. Figure 1 describes the flow of the method and Figure 2 describes its main framework. A more complete explanation is described in detail as follows.

1.png

Figure 1. Flow of the method

2.png

Figure 2. Main framework

3.1 Data preprocessing

The raw data is preprocessed so that the dataset matches the format structure that is suitable for the model. Then it can be proceeded with reducing or removing noise and redundant data [18]. El Sayed et al. [19] stated that removing noisy data can improve the performance of the model. Preprocessing steps used in this study are as follow.

3.3.1 Handling missing value

Missing values exist due to incomplete or inadequate data collection, data collection corruption, and sensor errors on the tool [20]. Missing values will interfere with the understanding and performance of deep learning models; therefore, they need to be removed [21]. The process of removing missing values in the proposed model starts by checking whether the dataset has missing values.

3.1.2 Categorical data

The dataset has some categorical data, such as Unammed: 0, Flow ID, Source IP, Destination IP, Source Port, Destination Port, timestamp, and Label. We dropped categorical data other than Label because it does not provide information that could be used as a classification parameter. The value in the Label column was converted to a numeric value. This approach can facilitate label manipulation and analysis.

3.1.3 Data characteristics

In this context, Standard Deviation (SD) is used as a reference, which shows the size of variations scattered in data [22]. The higher the SD, the higher the variation in the data. Because of the variations in the data, it is necessary to normalize so that the features in the dataset have a similar scale.

The column with SD equal to zero is deleted. SD equal to zero means that there is no variation in the column so that it cannot provide enough information in the classification process. The dataset at this point has 66 features that have a variety of data and valuable information so that it can be analyzed further.

3.1.4 Normalization

Original data is rescaled using measures of mean and standard deviation so that the resultant feature has unit variance and zero mean [23]. The result of the process is a normalized dataset. Inside the process, the original relationships between data points within the dataset is preserved and the varying scale and distribution is eliminated.

3.1.5 Train-test split

For features that function as characters from the data are entered first into the x variable and for the data the label is entered into the y variable. The two variables were split with a train ratio of 75% and a test of 25%.

3.2 Synthetic data generation

GAN is based on two functions, namely Generator (G) and Discriminator (D). The task of G is to maximize the probability of D making errors in a competitive manner. GAN model is executed for each dataset contained in CICDDoS2019 dataset. Figure 3 describes the GAN architecture used in this study.

3.png

Figure 3. GAN architecture

Original Data: This study uses the CICDDoS2019 dataset, consisting of various network requests to servers. The available request types are normal and DDoS attacks such as UDP floods, Syn floods, and application layer attacks such as HTTP floods. This dataset is a valuable material in testing DDoS attack detection performance using DL and ML techniques [24].

Generator: Generators are trained to create fake data to minimize the difference between real and synthetic data. Noise was generated using gaussian because it has a character that can represent variations that occur under normal conditions.

Discriminator: Discriminator is trained to differentiate between fake and real data. All data, real and fake are then entered into input layer and the discriminator will detect it with output of probability score indicating the likelihood of the input are real or fake.

Classification Error: Binary Cross Entropy is employed as classification error. This method is to give feedback to discriminator and generator as a result it can determine fake and real dataset and also creating a better fake dataset for the generator.

Eqs. (1)-(3) demonstrate the objective function of minimax in GAN:

$\min _G \max _D V(D, G)=A+B$                 (1)

where,

$A=E_{x \sim p_{{data }}(x)}[\log (D(x))]$           (2)

and

$B=E_{z \sim p_z(z)}[1-\log (D(G(z)))]$              (3)

The generator is denoted by G, the discriminator is D, real data samples is x, and the noise is z is extracted from the distribution D with the specified standard deviation. The probability of the distribution of random noise is denoted by $p_z(z)$, while the probability of the distribution of real data is denoted by $p_{{data }}(x)$.

${Loss}_D=-\log \left(D\left(x_{{real }}\right)\right)-\log \left(1-D\left(x_{ {synthetic }}\right)\right)$       (4)

One step in the GAN training process is optimizing losses, which is the difference between the target labels and the generated samples. In Eq. (4), the discriminator aims to minimize its own losses and maximize generator loss. The generator is updated throughout training by back-propagating errors using the GAN. The generator's weight is updated using the Adam optimizer, repeating this procedure up to 20,000 epochs until it produces a sample of data that accurately reflects reality.

3.3 LSTM classification

LSTM is a Recurrent Neural Network (RNN) model that can be used on time series data, especially text categorization, sentence generation, and machine translation [25]. Because the data used in this study is time series, LSTM is suitable for use.

The dataset resulting from the GAN generation is then combined with the original dataset, which is then fed into the LSTM model as in Figure 4. The results of the classification are then evaluated.

4.png

Figure 4. LSTM architecture

3.4 Hardware and software

The experiment was done using Python 3.10, where the device has an Intel Core i5-12400F processor, 16GB DDR4 RAM memory with a 12GB Zotac RTX 3060 GPU. This study relies on Tensorflow 2.10. and the excellent scikit-learn 1.3 library in dataset management for classification.

The Hybrid GAN-LSTM model demonstrates promising results in the detection of DDoS attacks. This approach successfully generates synthetic data of a quality comparable to the original dataset, as evidenced by the improved performance metrics. In this study, LSTM was utilized as a multiclass classification method to assess how the inclusion of synthetic data influences the performance. When the combined dataset, consisting of original and synthetic data, was used, there was an improvement in both accuracy and F1-score metrics.

This augmentation method enables the model to better identify different types of multiclass attacks, as synthetic data generation provides more generalized and balanced data. Consequently, the model benefits from an enhanced ability to distinguish between various attack types, leading to greater overall reliability and robustness.

However, challenges remain for future research, particularly in conducting a more detailed evaluation of the quality of the generated synthetic data. By identifying the specific characteristics of the generated data, it will be possible to design more effective improvement methods, further advancing the efficacy of DDoS attack detection systems.